Blog

What Is Penetration Testing?

Saaim Khan
May 11, 2020
Home

Let's Get STARTED

Cyber security should be front of mind for every organisation, especially in the wake of the current global pandemic. Our ways of working have changed immensely, with a surge in the volume of remote workers using different networks, devices, and platforms. Meanwhile, our businesses are using cloud computing and IoT technologies to facilitate new ways of working, reduce costs, and improve performance. The result is that the attack surface has increased, and with that comes an increase in the volume of cyber threats.

Cybercrime has been constantly rising over recent years with attacks becoming more frequent, varied, and sophisticated. The numbers speak for themselves. The Ponemon Institute’s 2019 data breach report showed the average cost of a breach to be a huge $3.92 million with costs lasting for years after the attack. Penetration testing mimics these cyberattacks, testing the security of an organisation and its ability to fight back. In this blog, Security Practice Director, Saaim Khan explains what penetration testing is, the different types of testing, and the benefits to an organisation.

WHAT IS PENETRATION TESTING?

Penetration testing, otherwise known as pen testing, is a simulated cyber-attack. While every organisation will have security defences in place, they are often not tested until it’s too late – when a cybercriminal undertakes an attack. Penetration tests aim to:

  • Discover weaknesses in infrastructure, applications, and people.
  • Discover whether implemented controls are effective.
  • Discover new bugs in existing software.

Ultimately, penetration testing is a security exercise that aims to identify weak spots that cyber threat actors could take advantage of. Once identified, it gives businesses the chance to remedy or patch these weaknesses and implement new security policies to ensure they are operating with an acceptable level of risk and in line with regulations and industry standards.

HOW IS PENETRATION TESTING ACHIEVED/PERFORMED?

Pen tests are generally carried out by outside contractors who have little knowledge of the system or organisation in question as they are more able to expose blind spots. Penetration testers, otherwise known as ethical hackers, can be experienced developers/security consultants or reformed criminal hackers. Regardless of who is carrying out the test, however, the process will include planning, reconnaissance, gaining access, and analysis.

After completing a penetration test, the ethical hacker will share their findings with the target company’s security professionals. The information can be used to improve security, patch vulnerabilities, and enforce tighter policies.

THE DIFFERENT TYPES OF PENETRATION TESTING

While all penetration testing follows stages of reconnaissance, attack, and analysis, there are different methods that can be used. This is, ultimately, the planning phase of a pen test, where the scope and testing methods are decided upon. The key types of penetration testing include:

  • External testing – targeting a company’s external-facing assets such as the company website, email, and domain names servers. The aim is to assess the effectiveness of a company’s firewalls and other intrusion-prevention systems.
  • Internal testing – targeting an application behind a company’s firewall, imitating an insider attack within the company’s internal network. The aim is to determine how much damage a disgruntled employee or malicious actor with stolen employee credentials could cause.
  • White box testing – targeting a company with some information ahead of time regarding the target company’s security information. The aim is to simulate a malicious insider who has knowledge of the target system.
  • Black box testing – targeting a business blindly with only the business name as a starting point. The aim is to imitate a real-time assault.
  • Covert testing – targeting a business double-blind with no background information and the majority of the company, including the security professionals, having no prior knowledge of the attack. The aim is to simulate a real-world situation where the company isn’t expecting the breach to take place.
  • Targeted testing – targeting a business with the security personnel’s knowledge, working together, and explaining each other’s movements. The aim is to create a valuable training exercise with real-time feedback from a hacker’s viewpoint.

THE BENEFITS OF PENETRATION TESTING

According to PWC’s Global State of Information Security Survey, only 38% of organisations are prepared for a sophisticated cyber-attack. When this is coupled with the astoundingly high average cost of today’s data breaches, companies need to prepare themselves. By employing the services of pen testers, organisations can gain a fresh opinion, implement a combination of methodologies to simulate attacks, gain remediation advice, and fully evaluate their risk exposure to make informed business decisions.

Penetration testing is one of the most effective ways for companies to truly discover the vulnerabilities in their organisation and its security systems. However, pen testing isn’t a one-off activity, the cyber landscape is constantly evolving, and threats are becoming ever more sophisticated. Penetration testing should be used regularly to ensure cyber controls are working.

To understand a bit more about Infotrust’s Security Assurance services click here.